Hotel guests' urgent warning as 6-month cyberattack on major chain shares booking data

Hotel guests' urgent warning as 6-month cyberattack on major chain shares booking data The chain confirmed information exposed in the breach includes 'certain guests names, email addresses, telephone numbers, and/or home addresses, along with other reservation details' Hotel guests have been warned to watch out for convincing scam messages after a data breach at a major hotel chain. Data including personal details of people booked to stay at one of the chain hotels was exposed over a six month period. BWH Hotels, the parent company for WorldHotels, Best Western Hotels & Resorts, and Sure Hotels notified customers of the breach in an email when it said "certain guests’ names, email addresses, telephone numbers, and/or home addresses, along with other reservation details" had been accessed between October 14, 2025 and April 22. It added: "Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed." It confirmed the firm had taken action to stop the unauthorised access and that it was also taking steps to strengthen safeguards to stop any further breaches. And they urged any affected customers to take steps to ensure any scammers did not take advantage of them, warning them to be extra vigilant about unexpected emails, texts, WhatsApp messages or calls referencing hotel stays. Now privacy experts have warned the concern is not only what was stolen, but how that information could be used next. Hotel booking data can make follow-up scams look far more believable because criminals may be able to reference real stays, dates, locations or reservation numbers. Peter Nguyen, a privacy expert from Protect My Data, says travellers should not dismiss this kind of breach just because payment details were not exposed. "A hotel reservation contains more useful information than people realise. "A scammer does not always need your card number to target you. If they know your name, phone number, hotel, stay dates and booking reference, they can make a fake message look extremely convincing. "That is the risk with travel data. It gives criminals context. Instead of sending a vague scam, they can contact you with details that feel personal and accurate.” Nguyen says guests should be especially careful with any unexpected message claiming there is a problem with a booking, payment, refund or reservation. He warned a scammer could pretend to be from the hotel, a booking platform, customer support team or payment department. The message may claim a card needs to be reverified, a stay could be cancelled, a refund is waiting, or extra information is needed before arrival. He said: "The most dangerous message is one that sounds helpful. It might say your booking needs confirming, your payment failed, or your refund is ready. Because it references a real hotel stay, people are more likely to click. "If the message asks for payment, codes, logins or verification, do not engage through that message. Go directly to the hotel or booking platform yourself." Nguyen says WhatsApp and SMS messages are particularly risky because they feel more direct. "A text or WhatsApp message creates urgency. It feels like someone is dealing with your booking right now. That pressure makes people act faster than they would with an email." BWH Hotels’ own warning urged customers not to engage with suspicious communications asking for payment, codes, logins or verification, even if they reference a BWH Hotels property or an upcoming reservation. Why reservation data is so valuable Many people worry most about card details in a breach, but Nguyen says contact and booking information can still create serious risk. He explained: "Names, phone numbers and email addresses are the starting point for phishing. Add reservation details and the scam becomes much more targeted.” "A criminal could send a message saying, ‘Your stay at this property on this date needs confirmation.’ That feels completely different from a generic scam email because it contains something real." He said postal addresses can also make scams more credible. He explained: "If a scammer has your address, they can make a fake message feel more official. They might use it in a fake invoice, refund notice, complaint response or identity check." Special requests may also reveal details guests did not expect to become part of a security issue. "People sometimes include personal information in hotel requests, such as accessibility needs, arrival times, family arrangements or reasons for travel. Even small details can help scammers tailor their approach." What guests should do now Nguyen says anyone who has stayed with, or booked through, a BWH Hotels property during the affected period should be alert, but not panic. He added: "The first step is awareness. If you receive a message about a Best Western, WorldHotels or SureStay booking, slow down and verify it independently." He advised guests to avoid clicking links in unexpected messages. "Open the official hotel website yourself, use the original booking confirmation, or contact the property through a trusted number," he said. "Do not use a number or link sent in a suspicious message." Guests should also be careful if they are asked to confirm personal information, he said. "A genuine hotel may need basic details to find your booking, but they should not ask for banking codes, account passwords or card security codes through an unexpected message.” If someone has clicked a suspicious link or shared card details, Nguyen says they should contact their bank immediately. He warned: "Speed matters. If you entered payment details, call your bank straight away. If you entered a password, change it immediately, especially if you use it anywhere else." He also recommends securing email accounts, as email is often the route scammers use to reset other accounts. "Your email account is the front door to much of your digital life," he said. "Use a strong, unique password and switch on two-factor authentication." Why this warning matters for summer travel The breach comes as many travellers are booking summer stays, weekend breaks and last-minute trips. Nguyen says that makes hotel-related scams especially dangerous. "Travel season gives scammers a huge advantage. People are expecting hotel messages, payment reminders and booking updates. That makes fake messages easier to hide among real ones." He says guests should be particularly wary of messages close to their check-in date. "A message sent shortly before a stay can create panic. If it says your room will be cancelled unless you act now, that is exactly when you need to stop." The safest rule, Nguyen says, is to treat unexpected booking messages as suspicious until proven otherwise. He said: "If a message knows your hotel and dates, that does not automatically make it real. It may simply mean the scammer has booking data. Do not let accurate details rush you into clicking. Verify through the official route every time." In its email, signed by Bill Ryan Chief Technology Officer of the hotel chain and sent last month, it said: "BWH Hotels, the parent company for WorldHotels, Best Western Hotels & Resorts, and Sure Hotels, takes the privacy and security of our guests’ personal information very seriously. We are writing to let you know that on April 22, 2026, we identified unauthorised activity in one of our web applications that houses certain guest reservation data. "We have learned that certain guests’ names, email addresses, telephone numbers, and/or home addresses, along with other reservation details (e.g., reservation numbers, dates of stay, and any special requests) for reservations in our system were accessed by an unauthorised third‑party between October 14, 2025 and April 22, 2026, including yours. Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed. "Upon discovering the incident, we immediately took the application offline and revoked the unauthorised access. We have engaged leading external cybersecurity experts to support our incident response efforts and to assist with the further strengthening of existing safeguards. "We advise guests to be extra vigilant when viewing any unexpected or suspicious communications about hotel stays. If you receive a suspicious communication such as an unexpected email, text, WhatsApp message, or telephone call that asks for payment, codes, logins, or “verification,” even if they reference a BWH Hotels property or an upcoming reservation, do not engage. Navigate to sites directly rather than clicking links. As part of protecting your personal information and to prevent payments to fraudulent parties, here are some precautions you can take: - Stay alert for suspicious sender addresses, urgent or unexpected unsolicited requests, and strange links, especially any unexpected request for payment or personal information. Treat any suspicious request with caution. If you have a question regarding a suspicious request, please contact our customer service team - Scammers may create webpages that closely resemble legitimate hotel booking pages. Always review the web address before entering payment details. If a page looks unexpected or unfamiliar, stop and verify it with our customer service team before proceeding. If you entered or shared any payment (credit card) information in response to a scam, please immediately report it to your financial institution and follow security steps they recommend. If you have any questions, please contact BWH Hotels' data protection office at [email protected]